Using Entanglement in Quantum Multi-Prover Interactive Proofs 



Julia Kempe* 
School of Computer Science 
Tel Aviv University 
Tel Aviv, Israel 

Keiji Matsumoto^ 
Principles of Informatics Research Division 
National Institute of Informatics 
Tokyo, Japan 



Hirotada Kobayashi^ 
Principles of Informatics Research Division 
National Institute of Informatics 
Tokyo, Japan 

Thomas Vidick-'- 
Computer Science Division 
University of California, Berkeley 
USA 



February 2, 2008 



Abstract 

The central question in quantum multi-prover interactive proof systems is whether or not entangle- 
ment shared between provers affects the verification power of the proof system. We study for the first 
time positive aspects of prior entanglement and show that entanglement is useful even for honest provers. 
We show how to use shared entanglement to paralleUze any multi-prover quantum interactive proof sys- 
tem to a one-round system with perfect completeness, with one extra prover. Alternatively, we can also 
parallelize to a three-turn system with the same number of provers, where the verifier only broadcasts the 
outcome of a coin flip. This "public-coin" property is somewhat surprising, since in the classical case 
public-coin multi-prover interactive proofs are equivalent to single prover ones. 
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1 Introduction 



Multi-prover interactive proof systems are a central notion in theoretical computer science. An im- 
portant generalization of interactive proof systems IIGMR891 IBab85ll . they were originally introduced 
in IIBOGKW881I in a cryptographic context. Later it was shown IIBFL91I IFRS94II that the class MIP of 
languages having a multi-prover interactive proof system is equal to NEXP, which led to the development 
of the theory of inapproximability and probabilistically checkable proofs iFGL"'"96llAS98[|ALM"'"98l . 

In a multi-prover interactive proof system, a verifier communicates with several provers, which do not 
communicate with each other. One of the central challenges in this area is to understand the power of 
quantum multi-prover interactive proof systems (QMIP systems). In particular, the major open question is 
how entanglement shared among the provers affects these systems. This question is unique to the quantum 
world, since the related classical resource of shared randomness is known not to affect the power of such 
systems. It is not even clear whether entanglement increases or decreases the verification power of QMIP 
systems. On one hand, using entanglement, dishonest provers might cheat more easily, thereby breaking the 
soundness of the system. On the other hand, the increased power that entanglement gives to honest provers 
could be harnessed by the verifier, increasing the expressivity of the proof system. 

To the best of our knowledge, all previous results in this area (see below) have focused on the former 
case, studying the negative effects of entanglement, i.e., whether or not dishonest entangled provers can 
break proof systems that are sound for any dishonest unentangled provers. Our work is the first to focus on 
the positive aspects of entanglement, where shared entanglement may be advantageous to honest provers. 

1.1 Previous and related work 

Kobayashi and Matsumoto IIKM03I introduced QMIP systems with a quantum verifier, and proved that 
the class of languages having a quantum multi-prover interactive proof system is equal to NEXP when 
the provers do not share any prior entanglement, and is contained in NEXP when they share at most 
polynomially many entangled qubits. Cleve, H0yer, Toner, and Watrous IICHTW 04 I studied multi-prover 
interactive proof systems in which the verifier remains classical but provers may initially share entan- 
glement, and presented several protocols for which shared EPR pairs can increase the power of dis- 
honest provers. They also proved that the class of languages having some restricted version of multi- 
prover interactive proof system, denoted by ©MIP* (2,1), is contained in EXP when provers are al- 
lowed to share prior entanglement (Wehner IIWeh06ll improved the upper bound to QIP(2), the class 
of languages having a two-message quantum interactive proof system), which is in stark contrast to the 
con^esponding class ©MIP (2, 1) without prior entanglement, which is equal to NEXF0. Very recently, 
Kempe, Kobayashi, Matsumoto, Toner, and Vidick [KKM+07 | gave limits on the cheating power of dis- 
honest entangled provers in some quantum and classical multi-prover interactive proof systems, by show- 
ing how such proof systems can be "immunized" against the use of entanglement by dishonest provers. 
Ito, Kobayashi, Freda, Sun, and Yao ilKP+07 1 and Cleve, Gavinsky, and Jain [ CGJ07II also gave limits on 
the cheating power of entangled provers for some classical multi-prover interactive proof systems. 

All these studies focus only on the negative aspects of prior entanglement, i.e., whether or not dishonest 
but prior-entangled provers can break the soundness of the proof system. 

1.2 Our Results 

This paper studies the positive aspects of prior entanglement and shows a number of general properties of 
QMIP systems, extensively using prior entanglement for honest provers. This gives the first evidence that 
prior entanglement is useful even for honest provers. Our main theorem states that any quantum A;-prover 

'for some two-sided bounded error 
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interactive proof system that may involve polynomially many rounds can be parallelized to a one-round 
quantum {k + l)-prover interactive proof system of perfect completeness and such that the gap between 
completeness and soundness accepting probabilities is still bounded by an inverse-polynomial. 

To state our results more precisely, let QMIP(fc, m, c, s) denote the class of languages having an m-turn 
quantum fc-prover interactive proof system with completeness at least c and soundness at most s, where 
provers are allowed to share an arbitrary amount of entanglement. We call the difference c — s the "gap" 
in this paper. As commonly used in classical multi-prover interactive proofs we use the term "round" to 
describe an interaction consisting of questions from the verifier followed by answers from the provers. We 
use the term "turn" for messages sent in one direction. One round consists of two turns: a turn for the verifier 
and a turn for the provers. Let poly and poly~^ be the sets of all polynomially bounded functions and all 
inverse-polynomial functions, respectively. Throughout this paper we assume that the number m of turns 
and the number k of provers are functions in poly with respect to the input size, and that completeness c and 
soundness s are functions of the input size c, s : Z+ —>■ [0, 1]. Then we show the following main theorem. 

Theorem 1. For any k,m G poly and c, s satisfying c — s G poly^^ there exists a function p G poly such 



Since it is easy to amplify the success probability without increasing the number of rounds by running 
multiple instances of a proof system in parallel using a different set of provers for every instance, the above 
theorem shows that one-round (i.e., two-turn) QMIP systems are as powerful as general QMIP systems. 

Corollary 2. For any k,m G poly and c, s satisfying c — s ^ poly~^, and p G poly, there exists k' G poly 
such that QMIP(A:, m, c, s) C QMIP(A;', 2, 1, 2"^). 

The proof of our main theorem comes in three parts, corresponding to Sections [3l IH and ID The first 
part shows how to convert any QMIP system with two-sided bounded error into one with one-sided bounded 
error of perfect completeness without changing the number of provers. The second part shows that any 
QMIP system with polynomially many turns can be parallelized to one with only three turns (messages 
from the provers followed by questions from the verifier followed by responses from the provers) in which 
the gap between completeness and soundness is still bounded by an inverse-polynomial. Again the number 
of provers remains the same in this transformation. Finally, the third part shows that any three-turn QMIP 
system with sufficiently large gap can be converted into a two-turn (i.e., one-round) QMIP system with 
inverse-polynomial gap, by adding an extra prover. 

Similar statements to our first and second parts have already been shown by Kitaev and Watrous IIKWOOII 
for single-prover quantum interactive proofs. Their proofs, however, heavily rely on the fact that a single 
quantum prover can apply arbitrary operators over all the space except for the private space of the verifier. 
This is not the case any more for quantum multi-prover interactive proofs, since now a quantum prover 
cannot access the qubits in the private spaces of the other quantum provers, in addition to those in the 
private space of the verifier. Hence new methods are required for the multi-prover case. 

To transform proof systems so that they have perfect completeness, our basic idea is to use the quantum 
rewinding technique developed for quantum zero-knowledge proofs by Watrous IIWat06l . but in a different 
way. In our case we use it to "rewind" an unsuccessful computation that would result in rejection into a suc- 
cessful one. To apply the quantum rewinding technique, we first modify the proof system so that the honest 
provers can convince the verifier with probability exactly ^ using some initial shared state and moreover 
no other initial shared state achieves a higher acceptance probability. This initial shared state corresponds 
to the auxiliary input in the case of quantum zero-knowledge proofs, and thus, as in that scenario, the se- 
quence of forward, backward, and forward executions of the protocol achieves perfect completeness. The 
obvious problem of this construction lies in proving soundness, as the dishonest provers may not use the 
same strategies for all of the three executions of the proof system. To settle this, we design a simple protocol 
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that tests if the second backward execution is indeed a backward simulation of the first forward execution. 
The verifier performs with equal probability either the original rewinding protocol or this invertibility test 
without revealing which test the provers are undergoing. This forces the provers to use essentially the same 
strategies for the first two executions of the protocol, which is sufficient to bound the soundness. As a result 
we prove the following. 

Theorem 3. For any k,m ^ poly and c, s satisfying c — s G poly^^, and p G poly, there exists m' G poly 
such that QMIP(/c, m, c, s) C QMIP(A;, m' , 1, 2"^). 

For the parallelization to three turns, our approach is to first show that any QMIP system with sufficiently 
large gap can be converted into another QMIP system with the same number of provers, in which the number 
of rounds (turns) becomes almost half of that in the original proof system. The proof idea is that the verifier 
in the first turn receives the snapshot state from the original system after (almost) half of turns have been 
executed, and then with equal probability executes either a forward-simulation or a backward-simulation of 
the original system from that turn on. Honest provers only have to simulate the original system to convince 
the verifier, while any strategy of dishonest provers with unallowable high success probability would lead to 
a strategy of dishonest provers in the original system that contradicts the soundness condition. By repeatedly 
applying this modification, together with Theorem[3]as preprocessing, we can convert any QMIP system into 
a three-turn QMIP system with the same number of provers that still has an inverse polynomial gap. 

Theorem 4. For any k,m ^ poly cind c,s satisfying c — s ^ poly^^, there exists p G poly such that 



For k = 1, this gives an alternative proof of the parallelization theorem due to Kitaev and Wa- 
trous HKWOOl for single-prover quantum interactive proofs. It is interesting to note that our parallelization 
method does not need the controUed-swap test at all, while it is the key test in the Kitaev-Watrous paralleliza- 
tion method. Another point worth mentioning in our method is that, at every time step of our parallelized 
protocol, the whole system has only one snapshot state of the original system. This is in contrast to the 
fact that the whole system has to simultaneously treat many snapshot states in the Kitaev-Watrous method. 
The merit of our method is, thus, that we do not need to treat the possible entanglement among different 
snapshot states when analyzing soundness, which may be a main reason why our method works well even 
for the multi-prover case. Moreover, our method is more space-efficient than the Kitaev-Watrous method, 
in particular when we parallelize a system with polynomially many rounds. 

To prove the third part, we will take a detour by proving that 

(i) any three-turn QMIP system with sufficiently large gap can be modified to a three-turn public-coin 
QMIP system with the same number of provers and a gap of roughly similar order of magnitude, 

(ii) any three-turn public-coin QMIP system can be converted into a two-turn QMIP system without 
changing completeness and soundness, by adding one extra prover. 

The notion of public-coin QMIP systems we use is a natural generalization of public-coin quantum in- 
teractive proofs in the single-prover case introduced by Marriott and Watrous IIMW05II . The corresponding 
complexity class is denoted by QMIP-p^^{k, m, c, s) in this paper. Intuitively, at every round, a public-coin 
quantum verifier flips a fair classical coin at most polynomially many times, and then simply broadcasts the 
result of these coin-flips to all the provers. Property (i) is a generalization of the result by Marriott and Wa- 
trous IIMW05II to the multi-prover case, whereas property (ii) is completely new. The idea to prove (ii), 
assuming that the number of provers in the original proof system is k, is to send questions only to the first k 
provers in the new {k + l)-prover system, requesting the original second messages from the k provers in the 
original system. The verifier expects to receive from the {k + l)-st prover the original first messages from 
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the k proveis in the original system without asking any question to that prover. The public-coin property 
of the original system implies the nonadaptiveness of the messages from the verifier, which is essential to 
prove (ii). In fact, there is a way to directly prove the third part, but our detour enables us to show another 
two important properties of QMIP systems. Specifically, property (i) essentially proves the equivalence of 
public-coin quantum /c -prover interactive proofs and general quantum /c-prover interactive proofs, for any 
k. 

Theorem 5. For any k,m €z poly and c, s satisfying c — s G poly~^, and p G poly, there exists m! G poly 
such that QMIP(A;, m, c, s) C QMIPp^bCA;, m\ 1, 2-p). 

Note that in the classical case, pubUc-coin multi-prover interactive proofs are only as powerful as single- 
prover interactive proofs: because every prover receives the same question from the verifier it means that 
every prover knows how other provers will behave and the joint strategy of the provers can therefore be 
simulated by a single prover. Hence, these systems cannot be as powerful as general classical multi-prover 
interactive proofs unless NEXP = PSPACE. In contrast, our result shows that in the quantum case, public- 
coin QMIP systems are as powerful as general QMIP systems. The non-triviality of public-coin QMIP 
systems may be explained as follows: even if every quantum prover knows how other quantum provers will 
behave, still each quantum prover can apply only local transformations over a part of some state that may 
be entangled among the provers, which is not enough to simulate every possible strategy a single quantum 
prover could follow. 

Property (ii) for the case k = 1 implies that any language in QIP (and thus in PSPACE) has a two- 
prover one-round quantum interactive proof system of perfect completeness with exponentially small error 
in soundness, since any language in QIP has a three-message pubUc-coin quantum interactive proof system 
of perfect completeness with exponentially small error in soundness IIMW05I . 

Corollary 6. For any p £ poly, QIP C QMIP(2, 2, 1, 2"^) (and thus VSVKCYj C QMIP(2, 2, 1, 2-P)j. 

In the classical case a similar statement to the last corollary was shown by Cai, Condon, and Lip- 
ton IICCL94II (and the stronger statement that two-prover one-round interactive proofs are as powerful as 
general multi-prover interactive proofs was shown later by Feige and Lovasz IIFL92I ). All these results 
are, however, not known to hold under the existence of prior entanglement among the provers. Before our 
result, it has even been open if PSPACE has a two-prover one-round quantum interactive proof system. 
(Very recently, Kempe et al. iKKM"'"07l succeeded in proving that the classical two-prover one-round inter- 
active proof system for PSPACE in Ref. IICCL94I is sound in a weak sense against any pair of dishonest 
prior-entangled provers: soundness is bounded away from one by an inverse-polynomial. Their result is 
incomparable to ours since on one hand we have a much stronger soundness condition, and on the other 
both the verifier and the honest provers must be quantum. In contrast, in Ref. llKKM+OTt both of them just 
follow a classical protocol.) 

Finally, we stress again that our constructions extensively use the prior shared entanglement of the 
provers in a positive sense. In particular, even if the honest provers in the original proof system do not need 
any prior entanglement at all, the honest provers in the constructed proof system do need prior entanglement 
in many cases. Most of the properties proved in this paper (Theorems [T] and [5] and Corollary [6] in particu- 
lar) are not known to hold when considering only initially unentangled honest provers, and thus give first 
evidence that sharing prior entanglement may be advantageous even to honest provers. 

2 Preliminaries 

We assume that the reader is familiar with the quantum formalism, including the quantum circuit model and 
definitions of mixed quantum states (density operators) and fidelity (all of which are discussed in detail in 
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Refs. IINCOOl IKSV02L for instance). This section summarizes some of the notions and notations that are 
used in this paper, reviews the model of quantum multi-prover interactive proof systems and introduces the 
notion of public-coin quantum multi-prover interactive proof systems. 

As in earlier work [Wat03, KWOO, KM03I . we define QMIP systems in terms of quantum circuits. It is 
assumed that our circuits consist of unitary gates, which is sufficient since non-unitary and unitary quantum 
circuits are equivalent in computational power IIAKN9 81. To avoid unnecessary complication, however, in 
the subsequent sections the descriptions of protocols often include non-unitary operations (measurements). 
Even in such cases, it is always possible to construct unitary quantum circuits that essentially achieve the 
same outcome. A notable exception is in the definition of the public-coin quantum verifier, where we want 
to define the public coin-flip to be a classical operation. This requires a non-unitary operation for the verifier, 
the (classical) public coin-flip. 

When proving statements that involve the perfect-completeness property, we assume that our universal 
gate set satisfies some conditions, which may not hold with an arbitrary universal gate set. Specifically, we 
assume that the Hadamard transformation and any classical reversible transformations are exactly imple- 
mentable in our gate set. Note that this condition is satisfied by most of the standard gate sets including the 
Shor basis | Sho96 1 consisting of the Hadamard gate, the controlled-i-phase-shift gate, and the Toffoli gate, 
and thus, we believe that this condition is not restrictive. We stress that most of our main statements do 
hold with an arbitrary choice of universal gate set (the completeness and soundness conditions may become 
worse by negligible amounts in some of the claims, which does not affect the final main statements). 

All Hilbert spaces in this paper are of dimension a power of two, spanned by qubits. We will use the 
following property of fidelity. 

Lemma 7 ( IISR021INS03II ). For any density operators p,cr,^ over a Hilbert space H, 
F{p,af + F{a,if<l + F{p,i). 

Quantum Multi-Prover Interactive Proof Systems (QMIP systems): Throughout this paper k and k' 
denote the number of pro vers and m, m' denote the number of turns. All of these are from the set of 
polynomially bounded functions in the input size denoted by poly. Further, c and s denote functions of 
the input size into [0, 1] corresponding to completeness and soundness. For notational convenience in what 
follows we will omit the arguments of these functions. 

A quantum /c-prover interactive proof system consists of a verifier V with private quantum register V 
and k provers Pi, . . . , with private quantum registers Pi, . . . , P^, as well as quantum message registers 
Ml, ... , Mfc, which without loss of generality are assumed to have the same number of qubits, denoted by 
(7m- One of the private qubits of the verifier is designated as the output qubit. At the beginning of the 
protocol, all the qubits in (V, Mi, ... , M^) are initialized to |0 • • • 0), and the qubits in (Pi, . . . , P^) are in 
some a priori shared state |4>) prepared by the provers in advance (and hence possibly entangled), which 
w.l.o.g. can be assumed to be pure. No direct communication between the provers is allowed after that. 
The protocol consists of alternating turns of the provers and of the verifier, starting with the verifier, if m is 
even, and with the provers otherwise. At a turn of the verifier, V applies some polynomial-time circuit to the 
qubits in (V, Mi, ... , M^), and then sends each register Mj to prover Pj. At a turn of the provers each prover 
Pi applies some transformation to the registers (Pj, Mj) for 1 < i < and sends Mj back to the verifier. 
The last turn is always a turn for the provers. After the last turn the verifier applies a polynomial-time circuit 
to the qubits in (V, Mi, . . . , Mjt), and then measures the output qubit in the standard basis, accepting if the 
outcome is |1) and rejecting otherwise. 

Formally, an m-tum polynomial-time quantum verifier V for /c -prover QMIP systems is a polynomial- 
time computable mapping from input strings j; to a set of polynomial-time uniformly generated circuits 
. . . , y }, and a partition of the space on which they act into registers (V, Mi, ... , M^), which 

consist of polynomially many qubits. Similarly an m-tum quantum prover P is a mapping from a; to a set of 
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circuits {P^, . . . , pr"^+i/2l j g^ch acting on registers (P, M). No restrictions are placed on the complexity 
of this mapping or the size of P. We will denote the z-th prover, his registers and transformations with 
a subscript i. We will always assume that each prover Pi is compatible with the verifier, i.e. that the 
corresponding register Mj is the same for the verifier and the prover for 1 < i < A;. 

The protocol {V,Pi,..., P^, \^)) is the alternating application of prover's and verifier's circuits to the 
state |0 • • • 0) ® |^>) in registers (V, Mi, ... , M^, Pi, ... , Pfc). For odd m, circuits • • • P^, V^, 
Pf • • • C3 P^, and so on are applied in sequence terminating with y"^+i/2 jf even, the sequence 
begins with followed by P^^ - ■ - ^P^ and so on up to y"»+2/2 -y^e say that {V, Pi, . . . , Pk,\^)) accepts 
X if the designated output qubit in V is measured in |1) at the end of the protocol and call the probability 
with which this happens Pacdx, V, Pi, . . . , Pk,\^)). 

Definition 8. A language L is in QMIP(fe, m, c, s) iff there exists an m-turn polynomial-time quantum 
verifier V for quantum A; -prover interactive proof systems such that, for every input x: 

(Completeness) if a; G L, there exist m-tum quantum provers Pi, . . . ,Pk and an a priori shared state | $) 
such that pacc(a:^, V,Pi, . . . ,Pk,\^)) > c, 

(Soundness) if x L, for any m-tum quantum provers P[, . . . ,P'f. and any a priori shared state |<I>'), 
p^,,{x,V,P[,...,Pl,W)) < s. 

Next, we introduce the notions of public-coin quantum verifier and public-coin QMIP systems. These 
are natural generalizations of the corresponding notions in the single-prover case introduced by Mar- 
riott and Watrous IIMW05II . Intuitively, a quantum verifier for quantum multi-pro ver interactive proof sys- 
tems is public-coin if, at each of his turns, after receiving the message registers from the provers, he first 
flips a fair classical coin at most a polynomial number of times, and then simply broadcasts the result of 
these coin-ilips to all the provers. No other messages are sent from the verifier to the provers. At the end 
of the protocol, the verifier applies some quantum operation to the messages received so far, and decides 
acceptance or rejection. 

Formally, an m-tum polynomial-time quantum verifier for A; -prover interactive proof systems is public- 
coin if each of the circuits ,V'^ , . . . , Fr™-i/2l implements the following procedure: V receives the 
message registers Mj from the provers, stores them in his private space, and then flips a classical fair coin 
at most givi times to generate a public string rj , records rj in his private space, and broadcasts r j to all the 
provers. The circuit y r{™+i)/2l some unitary transformation controlled by all the recorded random strings 
rj for 1 < j < \{m — l)/2] . A QMIP system is public-coin if the associated verifier is public-coin, and we 
define QMIPp^b(A;, m, c, s) to be the class of languages in QMIP(A;, m, c, s) with a public-coin verifier. 

3 QMIP with Perfect Completeness Equals General QMIP 

In this section we prove Theorem [3l showing that any QMIP system with two-sided bounded error can be 
transformed into a one with one-sided bounded error of perfect completeness without changing the number 
of provers. For the case of a single prover, this was shown by Kitaev and Watrous MKWOOII . but their proof 
relies on the single prover performing a global unitary on the whole system, and therefore does not carry 
over to the multi-prover case (no prover has access to the other prover's private spaces and the private space 
of each prover might be arbitrarily large, so we cannot use the verifier to transfer those spaces from one 
prover to the other). 

First, we introduce the notion of perfectly rewindable QMIP systems. 

Definition 9. Let s < ^. A language L has a perfectly rewindable m-turn quantum -prover interactive 
proof system with soundness at most s iff there exists an m-turn polynomial-time quantum verifier V, such 
that, for every input x: 



6 



(Perfect Rewindability) if x G L, there exists a set of m-turn quantum provers Pi, . . . ,Pk such that 
max|$^ Pax:c{x, V, Pi, . . . , Pk, \^)) = ^, where the maximum is taken over all a priori shared states 
I <I>) prepared by Pi , . . . , P^- 

(Soundness) if x ^ L, for any set of m-tum quantum provers P{, . . . , and any a priori shared state |$'), 

Pacc(x,y,P^...,P^,|<J>')) < J 

We first show how to modify any general QMIP system (with some appropriate conditions on complete- 
ness and soundness) to a perfectly rewindable one with the same k and m. 

Lemma 10. Let c> ^ > s. Then, any language L in QMIP(A;, m, c, s) has a perfectly rewindable m-turn 
quantum k-prover interactive proof system with soundness at most s. 

Proof. Let L be a language in QMIP(/i;, m, a, s) and V be the corresponding m-turn quantum verifier. We 
slightly modify V to construct another m-turn quantum verifier W for a perfectly rewindable proof system 
for L. The new verifier W, in addition to the registers of V, prepares another single-qubit register B, 
initialized to |0). For the first m — 2 turns, W simply simulates V. In the (m — l)-st turn, a turn for the 
verifier, W proceeds like V would, but sends B to the first prover in addition to the qubits V would send in 
the original proof system. In the m-th turn the first prover is requested to send B back to W, in addition to 
the qubits sent to V in the original proof system. Then W proceeds for the final decision procedure like V 
would, but accepts iff V would have accepted and B is in the state |1)J1 Notice that W accepts only if V 
would have accepted, so the soundness is obviously at most s in the constructed proof system. 

For perfect rewindability we slightly modify the protocol for honest provers in the case x G L. Let |$*) 
be the a priori shared state in the original proof system that maximizes the acceptance probability for the 
original honest provers and let Pmax be that maximal acceptance probability. The new provers use |$*) as 
the a priori shared state and simulate the original provers except for the last turn. The only difference is that 
in the last turn the first prover proceeds as Pi would, and applies a one-qubit unitary T to the qubit in B, 

V -^Fmax V ^p'ma.x 

From the construction it is obvious that the maximum accepting probability is exactly equal to ^ and that 
this maximum is achieved when the provers use the a priori shared state | <!>*). □ 

Now, we are ready to show the following lemma. 

Lemma 11. Letc> ^ and s < ^. Then, QMIP(A;, m, c, s) C QMIP [k, 3m, 1, i + 2^ + ^). 

Proof. The intuitive idea behind the proof of this lemma, using Watrous' "quantum rewinding technique", 
has already been explained in the introduction. We add some more intuition before proceeding to the tech- 
nical proof. Using Lemma [TO] we can assume that in the case of honest provers (x G L) the acceptance 
probability with shared state | $* ) is exactly ^ and furthermore that no other a priori shared state achieves 
higher acceptance probability. The acceptance probability when the provers use any a priori shared state |<I>) 

can be written as pacc = HHaccQI'I') f = llHaccQninitl^') f , where |^) = |0 • • • 0)(v,Mi,...,Mfc) ® 1^)' Q 
is the unitary transformation induced by the QMIP system just before the verifier's final measurement, Ilinit 

^Note that both for completeness and soundness we first fix the provers' transformations and then maximize over all a priori 
shared states, which hence have a fixed dimension. 

^This protocol can be brought into the standard form where only one qubit is measured to decide acceptance. Call Y the register 
containing the designated output qubit for V. W adds a new single-qubit output register X, initialized to |0). At the end of the 
protocol W performs a Toffoli gate on the qubits in B, Y, X controlled by the qubits in (B, Y). Clearly X will contain 1 1) iff both 
B and Y contain 1 1) . 
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is the projection on |0 • • • 0)(v,Mi,...,Mfc) ^mic is the projection on |1) of the designated output qubit. In 
other words the state |^'*) = |0 • • • 0)(v,Mi,...,Mfc) ^ 1*^**) rnaximizes the expression 

max(* I Hinit Q"^ Hacc QHinit | , 

meaning that the matrix M = IlinitQ^naccQninit has maximum eigenvalue | with corresponding eigenvec- 
tor l^f*). Now we apply the quantum rewinding technique by performing forward, backward, and forward 
executions of the proof system in sequence. Perfect completeness follows from the fact that the initial state is 
an eigenvector of M with the corresponding eigenvalue exactly i, exactly as in the zero-knowledge scenario 

of nwatoei . 

The challenge of this construction lies in the proof of soundness. If the input is a no-instance, the 
maximum eigenvalue of any matrix M corresponding to our proof system is small. This shows that if the 
dishonest provers are actually "not so dishonest", i.e., if they use the same strategies for all of the three 
(forward, backward, and forward) executions of the original proof system, the acceptance probability is 
still small. However, the problem arises when the dishonest provers change their strategies for some of the 
three executions. To settle this, we design a simple protocol that tests if the backward execution is indeed a 
backward simulation of the first forward execution. The verifier performs the original rewinding protocol or 
this invertibility test uniformly at random without revealing which test the provers are undergoing. Honest 
provers always pass this invertibility test, and thus perfect completeness is preserved. When the input is a 
no-instance, this forces the provers to use approximately the same strategies for the first two executions of 
the proof system, which is sufficient to bound the soundness. 

We now proceed with the technical details. Let L be a language in QMIP(A;, m, c, s) and let V be 
the verifier in the perfectly rewindable m-turn quantum A;-prover interactive proof system for L as per 
Lemma[lOl We construct a 3m-tum quantum verifier 1^ of a new quantum A;-prover interactive proof system 
for L. W has the same registers as V in the original proof system, and performs one of two tests, which we 
call "Rewinding Test" and "Invertibility Test". The exact protocol is described in Figured] where 
for simplicity it is assumed that m is even (the case in which m is odd can be proved in a similar manner). 

Completeness: Assume the input x is in L. From the original provers Pi , . . . , we design honest 
provers i?i , . . . , P^ for the constructed 3m-tum system. Each new prover Ri has the same quantum register 
Pi as Pi has, and the new provers initially share |$*). For the first m turns each Ri simulates Pi. At the 

(m + 2j)-th turn for I < j < applies (P-^ y (i.e. the inverse of the (m — 2j + 2)-nd turn of the 

original Pj) . Finally, for the (2m + 2j)-th turn for 1 < j <^;, Ri again applies P/. 

It is obvious from this construction that the provers Ri, . . . ,Rk can convince W with certainty when W 
performs the Invertibility Test. We show that Ri, . . . ,Rk can convince W with certainty even when 
W performs the REWINDING TEST. In short, this holds for essentially the same reason that the quantum 
rewinding technique works well in the case of quantum zero-knowledge proofs, and we will closely follow 
that proof. 

For notational convenience, let P-' = Pf (8> • • • (8) P^ for 1 < J < ^^'^ 
Q = yf +ipf ...pV^ Recall that Ml^-*) = where M = HinitQ^naccQninit- De- 

fine the unnormalized states |(/)o), I'/'i), |V'o)> and \ipi)by 

\^0) = HaccQI**), |01> = n,ejQ|^*), m = ni„itg^|<A0>, l^l) = nnicgalQ^ I -/-o) , 

where Ilmegai = I{v,Mi,...,Mk) ~ ^'mit is the projection onto states orthogonal to |0- • • 0)(v.Mi,...,Mfe) and 
Ilrej = -f(v,Mi,...,Mfc) " Ilacc- Then, noticing that l^-*) = Ilinitl^'*), we have 

IV'o) = ninitQ^naccQI^*) = HinitQ^naccgninitl^'*) = Afi^-*) = ^\^*), 
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Verifier's Protocol for Achieving Perfect Completeness 

1 . Simulate the original verifier for the first m turns. 

2. Choose b G {0, 1} uniformly at random. If 6 = 0, move to the REWINDING TEST described in StepO 
while if 6 = 1, move to the INVERTIBILITY TEST described in SteplH 

3. (Rewinding Test) 

3.1 Apply +^ to the qubits in (V, Mi, ... , Ma,). Accept if the content of (V, Mi, ... , Mfe) cor- 
responds to an accepting state in the original proof system. Otherwise apply (yT+^)t to the 
qubits in (V, Mi, . . . , M^), and send Mj to the ith prover, for 1 < i < A;. 

3.2 For j = Y down to 2, do the following: 

Receive Mj from the ith prover, for 1 < i < A;. Apply (V^-')^ to the qubits in (V, Mi, . . . , M^), 
and send Mj to the ith prover, for 1 < i < A;. 

3.3 Receive Mj from the ith prover, for 1 < i < A;. Apply (V^)^ to the qubits in (V, Mi, ... , M^). 
Perform a controlled-phase-flip: multiply the phase by —1 if all the qubits in (V, Mi, ... , M^) 
are in state |0). Apply Vi to the qubits in (V, Mi, . . . , M^), and send Mj to the ith prover, for 

l<i<k. 

3.4 For j = 2 to do the following: 

Receive Mj from the zth prover, for 1 < i < A;. Apply to the qubits in (V, Mi, . . . , M^.), and 
send Mj to the ith prover, for 1 < i < A;. 

3.5 Receive Mj from the ith prover, for 1 < i < A;. Apply V~~^^ to the qubits in (V, Mi, ... , Mfc). 
Accept if the content of (V, Mi, . . . , M^) corresponds to an accepting state in the original proof 
system, and reject otherwise. 

4. (INVERTIBILITY TEST) 

4. 1 Send M j to the ith prover, for 1 < i < A;. 

4.2 For j = Y down to 2, do the following: 

Receive Mj from the ith prover, for 1 < i < A;. Apply (V^)^ to the qubits in (V, Mi, . . . , M^), 
and send Mj to the ith prover, for 1 < i < A;. 

4.3 Receive Mj from the ith prover, for 1 < i < A;. Apply (V^)^ to the qubits in (V, Mi, ... , M^). 
Accept if all the qubits in (V, Mi, . . . , M^) are in state |0), and reject otherwise. 



Figure 1: Verifier's protocol for achieving perfect completeness 

and thus, 

Q^<Pi) = Q^u,,^Q\^*) = \^*)-Q^n,,,Q\^*) = \^^,*)-Q^^o) = 2|^o>-(IV'o) + IV'i» = 

Hence, the state just before the controlled-phase-flip in Step 3.3 when entering the REWINDING TEST is 
exactly 
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Since Hinitl^o) = IV'o) and IlinitlV'i) = 0' the controUed-phase-flip changes the state to 

^ -(|Vo) + |Vi)) = -^^Q^I<Ao). 



mi)\\ mi) 

Therefore, the state just after is apphed in Step 3.5 is exactly 



the Rewinding Test and accepts in Step 3.1. This happens with probability ^, where 



and thus, the fact that Ilaccl'/'o) = |</'o) implies that the verifier W always accepts in Step 3.5. 

Soundness: Now suppose that the input x is not in L. Let R'^, . . . , R'^. be any k provers for the con- 
structed 3m-tum proof system, and let be any a priori shared state. Let R^ be the transformation that R'- 
applies at his 2j-th turn, for 1 < i < A; and 1 < j < ^ and let Z denote the controUed-phase-flip operator 
in Step 3.3. Call R^ = r{(^---(^ rI for 1 < t < ^, and define 

- — ' m m ■ — 'o o — 1 1 

\Jx = R^V^ ■■■R^V^R^V\ 

U2 = (yi)ti?™ . . . (yf -i)ti?f +2(yf )ti?f +1, 
c/3 = i?^yf . . . 

There are three cases of acceptance in the constructed proof system. In the first case, the verifier W performs 

pi 

2 

In the second case, the verifier W performs the REWINDING TEST and accepts in Step 3.5. This happens 
with probability ^, where 

Finally, in the third case, the verifier W performs the INVERTIBILITY TEST and accepts in Step 4.3. This 
happens with probability where 

P3 = minitU2Ui\i;)f. 

Hence, the total probability pacc that W accepts x when communicating with R[, . . . , is given by 
Pace = ^{pi + P2 +P3)- From the soundness condition of the original proof system, it is obvious that 
Pi < s. We shall show that P2 < 1 + + 4s — ps. This imphes that Pacc ^ | + 2a/s + ^, and the 
soundness condition follows. 

Using the triangle inequality, we have that 



Pi = ||naccV^-+'t/il^''\l|2 



\\U^cV'^+^UsZU2iV'^+^)^U,,^V'^+^Ui\ 

< \\U,,,vf+^U3ZU2{Vf+^)^U,,iVf+^Ui\^P) -U^,V'f+^UsZU2Ui\ 

+ ||nacc^^+'f/3^ni,itC/2^7i|^)||. (1) 

The first term of the right-hand side of inequality ([1]) can be bounded from above as follows: 

l|nacc^^+'c/3^?:/2(^^+')^nrejy^+i?7i|V') -nacc^^+'c/3^f/2^:/ilV')ll 

< \\V'^+^U3ZU2iVf+yu,,^V'^+^Ui\ij) -V'^+^U3ZU2Ui\7p)\\ 

= +i)tnrejF^+^f/i|V') - Ui\%b)\\ = ||n,ejFt+i[/i|V') - 
= II -naccV'^+'f/i 1^)11 = ||nacci^^+'f/i|V')ll = Vp^<V^. 
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The second term of the right-hand side of inequality ([Hi can be bounded from above as follows: 



\\U,ccV'^+^U3ZU2Ui\^) - U,ccV'^+^U3ZUi^itU2Ui\iP)\\ 

< iiyf+if/sZt/aC/ilV') -v^^+'c/3^ni„itC/2?7i|v)|| 

= \\U2Ul\^P) -U;^i,U2Uim = ||nniegaif/2f/i|V')ll = 

Here the last equality follows from the facts that U2Ui\iJj) = ninitf^2f^i|V') + niiiegaiC^2f^i|V') is a unit vec- 
tor, that IlinitU2Ui\ilj) and niiiegaif^2C^i|V') are orthogonal, and that 1111^11^72^^1 IV') IP = P3- 

Finally, since ninitf^2f^i|V') is an unnormalized state parallel to some legal initial state and 
Zllinit = — Hinit from the definitions of Z and Ilinit, the third term of the right-hand side of inequality ^ 
can be bounded as follows by using the soundness condition of the original proof system: 

||nacc^^+'C/3^ninit?72^7l|^>|| = ||-nacc^^+'^73ninitt/2C/l|V>|| = ||naccV^^+'C/3ninitt/2^7i|^)|| < ^. 

Putting everything together, we have 

P2 = \\n^cVf+^UsZU2{vf+^)^u,,^vf+^Ui\ip)f 

< {2^ + ^l-psf = 1 + 4:^/s{l-p3) + 4s - p3 < 1 + 4^ + 4s - p3, 
as desired. □ 
Now Theorem |3] follows immediately from Lemma [TT]by appropriately applying sequential repetition. 



4 Parallelizing to Three Turns 

In this section we prove Theorem |4l which reduces the number of turns to three without changing the 
number of provers. This is done by repeatedly converting any (2' + l)-turn QMIP system into a (2^^^ + 1)- 
tum QMIP system where the gap decreases, but is still bounded by an inverse-polynomial. We first show 
the following lemma. 

Lemma 12. Let > s. Then, QMIP(A;, 4m + 1, c, s) C QMIP {k, 2m + 1,^^, i^). 

Proof. Let L be a language in QMIP(/c, Am + 1, c, s) and let V be the corresponding (4m + l)-turn quan- 
tum verifier. We construct a (2m + l)-tum quantum verifier W for the new quantum A;-prover interactive 
proof system for L. The idea is that W first receives the snapshot state that V would have in ( V , M i , . . . , M ^ ) 
just after the (2m + l)-st turn of the original system. W then executes with equal probability either a 
forward-simulation of the original system from the (2m + l)-st turn or a backward-simulation of the origi- 
nal system from the (2m + l)-st turn. In the former case, W accepts if and only if the simulation results in 
acceptance in the original proof system, while in the latter case W accepts if and only if the qubits in V are 
in state 1 • • • 0) The details are given in Figure [21 

Completeness: Assume the input x is in L. Let Pi,...,Pk be the honest quantum provers 
in the original proof system with a priori shared state |<I>). Let \ip2m+i) be the quantum state in 
(V, Ml, . . . , Mfc, Pi, . . . , Pfc) just after the (2m + l)-st turn in the original proof system. We construct 
honest provers i2i, . . . , i?^ for the new (2m + l)-tum system. In addition to V and Mi, Ri prepares Pi in 
his private space. Similarly, in addition to Mj, Ri prepares Pj in his private space for 2 < i < k. Ri, . . . ,Rk 
initially share |V'2m+i) in (V, Mi, . . . , M^, Pi, . . . , P^). At the first turn of the constructed proof system, 

''Recall that in the original proof system the first turn was done by the provers, hence we do not measure the qubits in each Mi 
here. 
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Verifier's Protocol to Reduce the Number of TUms by Half 

1. Receive V and Mi from the first prover and Mj from tiie ith prover for 2 < i < fe. 

2. Choose b G {0, 1} uniformly at random. 

3. If 6 = 0, execute a forward-simulation of the original proof system as follows: 

3.1 Apply to the qubits in (V, Mi, ... , M^). Send 6 and Mj to the ith prover, for 1 < i < A;. 

3.2 For j = m + 2 to 2m, do the following: 

Receive Mj from the ith prover, for 1 < i < A;. Apply to the qubits in (V, Mi, . . . , Mjt). Send 

M j to the ith prover, for 1 < i < k. 

3.3 Receive Mj from the ith prover, for 1 < i < fc. Apply y2m+i q^^^^j^ in (V, Mi, ... , M^). 
Accept if the content of (V, Mi, . . . , M^) is an accepting state of the original proof system, and 
reject otherwise. 

4. If 6 = 1, execute a backward-simulation of the original proof system as follows: 

4. 1 Send b and M j to the ith prover, for 1 < i < k. 

4.2 For j = m down to 2, do the following: 

Receive Mj from the ith prover, for 1 < i < fc. Apply (F^)^ to the qubits in (V, Mi, ... , M^). 
Send Mj to the ith prover, for 1 < i < A;. 

4.3 Receive Mj from the ith prover, for 1 < i < A. Apply (V^)^ to the qubits in (V, Mi, ... , M^). 
Accept if the qubits in V are in state |0 . . . 0), and reject otherwise. 



Figure 2: Verifier's protocol to reduce the number of turns by half. 



Ri sends V and Mi to W, while each for 2 < i < A, sends Mi to W. At the (2j - l)-st turn for 
2 < J < m + 1, if 6 = 0, each Ri applies p^'^^ (i.e. Pj's transformation at the {2m + 2j — l)-st turn in 
the original system) while if 6 = 1, each Ri applies (p™~J'+^)t (j g the inverse of P^'s transformation at 
the {2m — 2j + 5)-th turn in the original system) to the qubits in (Pj, Mj), for 1 < i < A;. The provers 
Ri,. . . ,Rk can then clearly convince W with probability at least c if 6 = 0, and with certainty if 6 = 1. 
Hence, W accepts every input .t G L with probability at least 

Soundness: Now suppose that x is not in L. Let R'l,. . . , i?'^ be arbitrary provers for the constructed 
proof system, and let IV') be an arbitrary quantum state that represents the state just after the first turn in the 
constructed system. Suppose that, at the (2j — l)-st turn for 2 < j < m -I- 1, each R'- applies Xf if 6 = 
and 1^-^ if 6 = 1, for 1 < i < A and write = x( ■ ■ ■ xi and = • • • Yj}. Define unitary 
transformations Uq and Ui by Uq = \/2m+i^m+iy2m . . . and Ui = (yi)ty™+i . . . (y™)ty2^ 

and let \a) = [[n^Jjo \ ^)\\ '^s^ccUo\4)) and = pi— ;i7jj^ninit^7i|V')> where Ilacc is the projection onto 
accepting states in the original proof system and Ilinit is the projection on |0 • • • 0)v in V. Then 

||naccC/o|V')ll = 

and thus, the probability pc of acceptance when 6 = is given by po = F {^UQ\a) {a\UQ , {ip) (ipl)'^ . Simi- 
larly, the probabihty pi of acceptance when 6 = 1 is given by pi = F{ul\(3){P\Ui, {tp) {tpl)'^ . Hence the 
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probability pacc that W accepts x when communicating with R[, . . . , R'f^ is given by 

Pacc = ^(pO+Pl) = ^(i^(t/c)l«)(«|f^O,|V')(V'l)' + i^(f/|l/?)(/3|f/l,|V')(^l)'). 

Therefore, from Lemma |7J we have 

Pace < \ (l + F{U^Q\a){a\Uo,ul\p){p\Ui)) = ^ (l + F{\a){a\,UoUl\(3){(3\UiU^o)) ■ 

Note that Ilinitl/?) = and that |/3) is a legal quantum state which could appear in the original proof system 
just after the first turn. Hence, from the soundness property of the original proof system, 

||naccf/oC^ll/3)||^ = ||nacc^^'"+^^"+^V'^"'---^V'"+^(y2)tym...(ym+l)tyl|^)||2 < 

since V^, (y™+i)t, • • • , y™, (y^)^, . . . , y2m^^m+i y2m+i ^^^^ ^ j^g^j sequence of trans- 

formations in the original proof system. 

Now, from the fact that Ilaccla) = |a), we have 

F{\a){a\,UoUl\^){(3\uM) = \{a\UoUl\^)\ = |(a|nacct/o[/^|/3)| < ||naccf/of/Jl/3)ll < V^- 

Hence the probability pacc that W accepts x is bounded by pacc < 5 + ^> which completes the proof. □ 

Now, by repeatedly applying the construction in the proof of Lemma [T2j we can reduce the number 
of turns to three. The proof is straightforward, but we need to carefully keep track of the efficiency of the 
constructed verifiers in each application, since the construction is sequentially applied a logarithmic number 
of times. 

Lemma 13. For any m > 4: and any c, s such that e = 1 — c and 6 = 1 — s satisfy 6 > 2(m — l)e, 
QMlPik, m,l-e,l-5)Q QMIP (^fc, 3, 1 - 1 - j;^). 

Proof. Let I be such that 2' + 1 < m < 2'+^ + 1. Trivially, QMIP(A;, m, c, s) C QMIP(A;, 2'+^ + 1, c, s). 
We show QMIP(A;, 2'+^ + 1, 1 - e, 1 - ,5) C QMIP(fc, 3, 1 - 1 - j:^^). 

Let L be a language in QMIP(A;, 2'+^ + 1,1 - e,l - 6) and let be the corresponding (2^+^ + 1)- 
tum quantum verifier. Given a description of 1/^^) one can compute in polynomial time a description of 
a (2^ + l)-turn quantum verifier V^^^ following the proof of Lemma [121 The resulting proof system has 
completeness at least 1 — § and soundness at most ^ + ^^2'^ — ^ ~ i- Crucially, the description of V^^^ is 
at most some constant times the size of the description of V^^^ plus an amount bounded by a polynomial in 
\x\. Hence it is obvious that, given a description of V^^\ one can compute in polynomial time a description 
of a three-turn quantum verifier V^^^ by repeatedly applying the construction in the proof of Lemma [12] 
I times. The resulting proof system has completeness at least 1 — ^ > 1 — and soundness at most 
1 - 4 < 1 - , \y^ , as desired. □ 

Theorem [4] now follows immediately from Theorem [3] and Lemma [T3l For every p £ poly there is an 
m' G poly such that QMIP(fc, m, c, s) C QMIP(A;, m' , 1, 2'^) C QMIP {k, 3,1,1- f^'^iyi ) ■ Now it 

suffices to observe that ,-^^^^2 £ poly~^. 
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5 Public- Coin Systems 



In this section we present the last part to complete the proof of Theorem [T] We show how any three-turn 
QMIP system with sufficiently large gap can be converted into a two-turn QMIP system with one extra 
prover, in which the gap is bounded by an inverse-polynomial. Although we also have a direct proof for 
this, given in Appendix |Bl we will take a detour by showing how (i) any three-turn QMIP system with 
sufficiently large gap can be modified to a three-turn public-coin QMIP system with inverse-polynomial gap 
without changing the number of provers, and (ii) any three-turn public-coin QMIP system can be converted 
into a two-turn QMIP system without changing completeness and soundness, by adding an extra prover. 
The added benefits of our detour are a proof of the equivalence of public-coin QMIP systems and general 
QMIP systems (Theorem|5]l and a proof that QIP and hence PSPACE has a two-prover one-round quantum 
interactive proof system of perfect completeness and exponentially small soundness (Corollary [6]) 



5.1 Converting to Public-Coin Systems 

In this subsection we prove Theorem |5] showing that any language that has a quantum A;-prover interactive 
proof system with two-sided bounded error also has a public-coin quantum /c-prover interactive proof system 
of perfect completeness and exponentially small soundness. 

We first show that any three-turn QMIP system with sufficiently large gap can be modified to a three-turn 
public-coin QMIP system with the same number of provers and inverse-polynomial gap. In the single-prover 
case, Marriott and Watrous [MWOS] proved a similar statement. Our proof is a generalization of their proof 
(Theorem 5.4 in Ref. [MW05J) to the multi-prover case. 

Lemma 14. For any c, s satisfying <? > s, QMIP(A;, 3, c, s) C QMIPp„t,(fc, 3, ^-^). Moreover, the 
message from the verifier to each prover in the public-coin system consists of only one classical bit. 

Proof. Let L be a language in QMIP(A;, 3, c, s) and let V be the corresponding three-turn quantum verifier. 
We construct a new verifier W for the public-coin system. The idea is that in the first turn W receives the 
reduced state in the original register V of the snapshot state just after the second turn (i.e., just after the 
first transformation of V) in the original proof system. W then flips a fair classical coin h G {0, 1} and 
broadcasts h to the provers. At the third turn the ith prover is requested to send the register M j of the original 
proof system, for 1 < i < A;. If 6 = the qubits in (V, Mi, . . . , M^) should form the quantum state the 
original verifier V would possess just after the third turn of the original proof system. Now W applies to 
the qubits in (V, Mi, . . . , M^) and accepts if and only if the content of (V, Mi, ... , M^) is an accepting state 
of the original proof system. On the other hand, if 6 = 1, the qubits in (V, Mi, . . . , M^) should form the 
quantum state the original verifier V would possess just after the second turn of the original proof system. 
Now W applies {V^)'^ to the qubits in (V, Mi, ... , Mjt) and accepts if and only if all the qubits in V are in 
state 1 0) . The detailed description of the protocol of W is given in Figure [3l The analysis of completeness 
and soundness of the constructed proof system is nearly identical to the one in Lemma [12] and is relegated 
to Appendix El □ 

Theorem [5] now follows directly from Theorem |4] and Lemma [14] together with se- 
quential repetition: Theorem |4] and Lemma [14] imply that there is a p' G poly 
such that QMIP(fc,m,c,s) C QMIP (A;, 3,1,1 - ^) C QMIPpub(/i:, 3,1,1 - ^), since 

^The direct proof in AppendixlBlwould only give the weaker corollary that QIP has a two-prover one-round quantum interactive 
proof system of perfect completeness, but with soundness only exponentially close to i . This is indeed weaker than what we can 
show with the detour, since it is not known how to amplify the success probability of QMIP systems without increasing either the 
number of provers or the number of turns. 
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Verifier's Protocol in Three-Turn Public-Coin System 



1. Receive V from the first prover and receive nothing from the ith prover, for 2 < i < A;. 

2. Choose b G {0, 1} uniformly at random. Send b to each prover. 

3. Receive Mj from the ith prover for 1 < i < A;. 

3.1 If 6 = 0, apply V"^ to the qubits in (V, Mi, ... , M^). Accept if the content of (V, Mi, ... , M^) 
is an accepting state of the original proof system, and reject otherwise. 

3.2 If 6 = 1, apply (V^)^ to the qubits in (V, Mi, ... , M^). Accept if all the qubits in V are in state 
|0), and reject otherwise. 



m' G polysuchthatQMIPp^b(A;,3,l,l - ^) C qMlPp^^{k,m' ,1,2-p). 
5.2 Parallelizing to Two T\irns 

Finally, we prove the last piece of Theorem[T]by showing that any three-turn public-coin quantum /c -prover 
interactive proof system can be converted into a two-turn (i.e., one-round) {k + l)-prover system without 
changing completeness and soundness. The idea of the proof is to send questions only to the first k provers 
to request the original second messages from the k provers in the original system and to receive from the 
(A; + l)-st prover the original first messages of the k provers in the original system without asking him any 
question. 

Lemma 15. QMIPp^|3(A;, 3, c, s) C QMIP(/c + 1, 2, c, s). 

Proof. Let L be a language in QMIPp^|3(A;, m, c, s) and let V be the corresponding verifier. 

The protocol can be viewed as follows: At the first turn, V first receives a quantum register Mj from 
the ith prover, for each I < i < k. V flips a fair classical coin qm times to generate a random string r of 
length qm, and broadcasts r to all the provers. V also stores r in a quantum register Q in his private space. 
Finally, at the third turn, V receives a quantum register Nj from the ith prover, for each 1 < i < A;. ^ then 
prepares a quantum register V for his work space, where all the qubits in V are initiahzed to state |0), applies 
the transformation V^^^^ to the qubits in (Q,V,Mi,...,Mjt,Ni,...,Nfc), and performs the measurement 
n = {naccinrcj} to decide acceptance or rejection. We construct a two-turn quantum verifier W for the 
new quantum (A; + l)-prover interactive proof system for L. 

The constructed prover W starts with generating a random string r of length qm in the first turn, and 
sends r to the first k provers. W does not send any question to the last prover. In the second turn W 
receives N j from the ith prover expecting the original second message from the original ith prover, for 
1 < i < A:. From the (A; + l)-st prover W receives k quantum registers Mi, ... , M^, expecting the original 
first messages of the original k provers. W then proceeds like V would. A detailed description of the 
protocol of W is given in Figure IH 

Completeness: Assume the input x is in L. Let Pi, . . . , be the honest provers in the original proof 
system. Let iV'i) be the quantum state in (Mi, . . . , M^, Pi, ... , P^) in the original proof system just after the 
first turn. We construct honest provers Pi, ... , P^+i for the two-turn system. For I < i < k, Ri prepares 



Figure 3: Verifier's protocol in three-turn public-coin system. 




sequential repetition gives that for all p G poly there exists an 
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Verifier's Protocol in One-Round System 

1 . Prepare a quantum register V, and initialize all the qubits in V to state 1 0) . Flip a fair classical coin 
qm times to generate a random string r of length ^m- Store r in a quantum register Q, and send r to 
the ith prover for 1 < i < A;. Send nothing to the (/c + l)-st prover. 

2. Receive a quantum register N, from the ith prover, for 1 < i < /c, and k quantum registers Mi, . . . , 
from the {k + l)-st prover. Apply y^"'^^ to the qubits in (Q, V, Mi, ... , M^, Ni, . . . , N^) and accept 
if and only if the content of (Q, V, Mi, . . . , M^, Ni, . . . , N^) is an accepting state of the original proof 
system. 



Figure 4: Verifier's protocol to reduce the number of turns to two. 

quantum register Pj in his private space, where some of the qubits in Pj form the quantum register Nj, 
while Rk+i prepares the quantum registers Mi, . . . , Mj. in his private space. Ri, . . . , Rk+i initially share 
iV'i) in (Ml, . . . , Mfc, Pi, ... , Pfc). At the second turn, Rk+i just sends the qubits in (Mi, . . . , M^,) to W, 
while each Ri, after receiving r, just behaves like Pi would at the third turn of the original system, and then 
sends Nj, which is a part of Pj, to W , for 1 < i < /c. It is obvious from the construction that the provers 
iZi, . . . , Rk+i can convince W with the same probability with which Pi, . . . ,Pk could convince V, which 
is at least c. 

Soundness: Now assume the input x is not in L. Let R[, . . . , R'^j^i be any provers for the constructed 
proof system and let R'^ be the quantum register consisting of all the qubits in the private space of R'^, for 
1 < i < fe + 1. For R'k^i, some of the qubits in R'^,^i form the register M = (Mi, . . . , M^). Let \ip) be 
an arbitrary quantum state in (R'^^, . . . , R'^-^-i) that is initially shared by R'^, . . . , R'^^i- Suppose that, at the 
second turn, each R^ applies X^^^ , for 1 < i < k, if the message from W is r. Without loss of generality, we 
assume that R'^^i does nothing, and just sends the qubits in (Mi, . . . , M^) at the second turn, since R'^^i 
receives nothing from W (that R'^^i applies some transformation Z is equivalent to sharing Z\Tp) at the 
beginning). 

Consider three-turn quantum provers P{ , . . . , for the original proof system with the following prop- 
erties: (1) each Pi prepares the quantum register R^ in his private space, for 1 < i < k, (2) P[, . . . ,P'^^ 
initially share \ip) in (R'^^, . . . , where all the qubits in R'^^i except for those in (Mi, . . . , Mjt) are 

shared arbitrarily, (3) at the first turn, each P/ sends Mj to y, for 1 < i < k, and (4) if the message from V 
is r, at the third turn, each P/ applies x'i''^ to the qubits in R^, for 1 < ? < A;. It is obvious that these provers 
P[, . . . ,P'j, can convince the original verifier V with the same probability that R[, . . . , R'^j^i can convince 
W. Hence, the probability W accepts x is at most s, as desired. □ 

Now Theorem [T] follows from Theorem |4] and Lemmas [14] and \T5\ Corollary [6l claiming 
QIP C QMIP(2, 2, 1, 2~P) for any p G poly follows directly from Lemma [T5] and the fact shown by Mar- 
riott and Watrous [MW05II that any language in QIP can be verified by a three-message public-coin quan- 
tum interactive proof system of perfect completeness with exponentially small error in soundness (i.e., 
QIP C QMAM(1, 2-P) for any p G poly). 
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Appendix 

A Proof of Lemma [14] 

Proof. Completeness: Assume the input x is in L. Let Pi, . . . , be the honest quantum provers in the 
original proof system with a priori shared state |<&) in (Pi,...,Pfc). Let \ip2) be the quantum state in 
(V, Ml, . . . , Mfc, Pi, . . . , Pfc) just after the second turn in the original proof system. We construct honest 
provers Ri, . . . ,Rk for the public-coin system. In addition to V and Mi, i?i prepares Pi in his private 
space. Similarly, in addition to Mj, Ri prepares Pj in his private space, for 2 < i < fe. Ri, . . . ,Rk initially 
share IV'2) in (V, Mi, . . . , M^, Pi, . . . , P^). At the first turn of the constructed proof system, i?i sends V to 
W, while each Ri, 2 < i < k send nothing to W. At the third turn, if 6 = each Ri applies to the qubits 
in (Mj, Pj) and then sends Mj to W, while if 6 = 1, each Ri does nothing and sends Mj to W. It is obvious 
that the provers Ri, . . . ,Rk can convince W with probability at least c if 6 = 0, and with certainty if 6 = 1. 
Hence, W accepts every input x ^ L with probability at least 

Soundness: Now suppose that x is not in L. Let be arbitrary provers for the con- 
structed proof system, and let be an arbitrary quantum state that represents the state just after the 
first turn in the constructed system. Suppose that at the third turn each P'- applies if 6 = and Yi 
if 6 = 1, for 1 < i < /c and write X = Xi® ■ ■ ■ ® anA Y = Yi ® ■ ■ ■ ®Yk. Note that X and Y are 
unitary transformations that do not act over the qubits in V. Let |a) = \ y Ilacc^^^l^) and 

1/3) = i\t"i Ml -*^mit(^^)^^|V')' where Ilacc is the projection onto accepting states in the original 

proof system and Ilinit is the projection onto states in which all the qubits in V are in state |0). 
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Verifier's Protocol in One-Round System (Direct Construction) 

1. Choose b G {0, 1} uniformly at random. Send b only to the first k provers, and send nothing to the 
{k + l)-stprover. 

2. Receive Mj from the ith prover, for 1 < i < fc, and V from the {k + l)-st prover. 

2.1 If 5 = 0, apply y2 to the qubits in (V, Mi, ... , Mj,). Accept if the content of (V, Mi, ... , M^) 
is an accepting state in the original proof system, and reject otherwise. 

2.2 If 6 = 1, apply (F^)^ to the qubits in (V, Mi, . . . , M^). Accept if all the qubits in V are in state 
|0), and reject otherwise. 



Figure 5: Verifier's protocol to reduce the number of turns to two (direct construction). 

Then, with a similar argument to that in the proof of Lemma [T2l the probabiUty Pacc that W accepts x 
when communicating with R[, . . . , R'f^^i is bounded by 

Pace < ^ (l + F{x\V^)^\a){a\V^X,YW\P)mv')^Y)) 

= i [l + F{\a){a\,V^XYW'\P)mv')^YXHv')^)) . 

Since Ilinitl/?) = is a legal quantum state which could appear just after the first turn in the 
original proof system, V^, (Xyl^),^^ form a legal sequence of transformations in the original proof 

system, and Ilacclck) = |o)> again a similar argument to that in the proof of Lemma [12] shows that 

F(|a)(a|,F2xytyi|/j)(/3|(yi)tyxt(y2)t) < 

Hence the probability pacc that W accepts x is bounded by pacc < ^ + as desired. □ 

B Direct Proof of IModifying Three-Turn Systems to Two-Turn Systems 

For completeness, here we give a direct proof of the fact that any /c -prover three-turn system can be converted 
into a (A; + l)-prover two-turn system. 

Theorem 16. For any c, s satisfying (? > s, QMIP(A:, 3, c, s) C QMIP (k + 1,2,^, 

Proof. The proof is very similar to that of Lemma [T4l Indeed, our starting point is the same, but this time 
we move to a two-turn proof system, instead of a three-turn public-coin system, by adding an extra prover. 
As in Lemma [15] we first broadcast a random bit fe G {0, 1} to all but the extra prover, and ask the extra 
prover to send us a register V and the other provers to send us registers Mj. We then proceed as in Step 3 of 
the proof system given in Lemma [141 a detailed description is given in Figure [5] 

Completeness: This follows immediately from the completeness of the proof system in Lemma [141 in 
Lemma[l4]the first prover sends both V (before receiving the bit b) and Mi (after); here we can imagine that 
before the protocol starts the first prover gives register V to the extra {k + l)-st prover, who sends it to V. 

Soundness: This also follows from the soundness of the proof system in Lemma [14] by combining the 
actions of the first prover and the extra {k + l)-st prover (and thus making the provers only stronger), we can 
construct a set of provers that would succeed in the proof system of Lemma [141 with the same probability as 
they succeed here. □ 
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